Power Apps
CVE-2026-20960
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.
AnalysisAI
Insufficient authorization controls in Microsoft Power Apps enable authenticated attackers to achieve remote code execution through network access. An attacker with valid credentials can bypass permission checks to execute arbitrary code within the affected environment. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-285 (Improper Authorization). Affects Power Apps. Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Power Apps
View allMicrosoft Power Apps (online) Spoofing Vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely e
Microsoft Power Apps Spoofing Vulnerability. Rated low severity (CVSS 3.0), this vulnerability is remotely exploitable.
Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over
Same weakness CWE-285 – Improper Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today